Unicode vulnerabilities that could byte you

The number of Unicode code points has never stopped growing, and neither has its integration into modern technologies. Web applications you have developed or used are likely to accept input and produce output in the UTF-8 character encoding.

In this talk, you will learn about the security implications of encoding conversion. Normalizing a UTF-8 string to ASCII-only characters has numerous potential side effects. The latest research affecting Unicode will be summarized, including the HostSplit attack. The HostSplit attack abuses minor character conversions to trigger an open redirect or Server-Side Request Forgery (SSRF). Aside from normalization, uppercase and lowercase transformations can introduce vulnerabilities. Encoding can be used to circumvent security controls such as Web Application Firewalls. Additionally, Punycode is the representation used to support domain names with characters outside ASCII, and it can be used to create visual confusion for end users.
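The two conversion problems described above, normalization changing a parsed host and case transformations producing ASCII from non-ASCII input, can be checked for on the defensive side before a URL is trusted. The following is an added example written for this page, not code from the talk; the allowlist, the function names and the sample URLs are constructed for the demonstration.

```python
import unicodedata
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this demo; a real application would load its own.
ALLOWED_HOSTS = {"example.com"}


def host_after_normalization(url: str) -> Tuple[str, str]:
    """Return (host parsed from the raw URL, host parsed after NFKC normalization).

    A mismatch means a check performed on the raw string and a later conversion
    to ASCII (for example IDNA/Punycode encoding before the request is sent)
    would disagree about the destination host.
    """
    raw_host = urlsplit(url).hostname or ""
    normalized = unicodedata.normalize("NFKC", url)
    norm_host = urlsplit(normalized).hostname or ""
    return raw_host, norm_host


def is_safe_redirect_target(url: str) -> bool:
    """Allowlist check applied to the normalized, case-folded host.

    Any URL whose host changes shape under normalization is rejected outright,
    so the host the check sees is the host the request will actually reach.
    """
    try:
        raw_host, norm_host = host_after_normalization(url)
    except ValueError:
        # Recent Python versions reject a netloc that would gain one of
        # '/?#@:' under NFKC; treat that as unsafe rather than as a parser bug.
        return False
    if not raw_host or raw_host != norm_host:
        return False
    return norm_host.casefold() in ALLOWED_HOSTS


def case_transform_yields_ascii(text: str) -> bool:
    """True if a non-ASCII string becomes pure ASCII after upper() or lower().

    Such input passes a 'no non-ASCII characters' filter before the case change
    and would fail it afterwards, which is how case transformations slip past
    controls that run before the conversion.
    """
    if text.isascii():
        return False
    return text.upper().isascii() or text.lower().isascii()
```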

While some issues were patched in major software, many risks remain or are likely to resurface. Get ready for a complete summary of everything security professionals should know about Unicode!


Philippe Arteau